Sprint Planning Meeting 2020 08 20

Erik Moeller edited this page Aug 21, 2020 · 1 revision

Sprint Planning Meeting, SecureDrop, August 20, 2020

Sprint timeframe: Beginning of Day (PDT) 2020-08-20 to Beginning of Day (PDT) 2020-09-02

1) Retrospective

What we said we would do:

  1. Start building test packages for Focal
  • Add build logic to SecureDrop Core
  • Add Focal channel to apt-test
  • Resolve Python 3.8 compatibility issues

Sprint goal partially met:

  • We have a make build-debs-focal target
  • We have a packaging channel on apt-test for focal packages.
  • Symlink issue was resolved, no symlink required
  2. Complete phase 1 of template consolidation for SecureDrop Workstation
  • Inventory template-specific configurations
  • Create more detailed implementation plan as a result of smaller R&D spikes

Sprint goal fully met:

  • Inventory and implementation plan completed
  3. Support SecureDrop fundraising event [not tracked as sprint tasks]

Sprint goal fully met: Event was a success, with first positive results.

Additional accomplishments

  • Whole team participated in FPF unconference on racial justice & diversity
  • Great progress towards MVP implementation plan for read/unread including proposed server-side changes
  • We have full screenshot coverage in Weblate!
  • Joan made her first docs PR and has learned a lot about how SecureDrop works.
  • We have a leading candidate for the root cause of the SecureDrop Workstation kernel issue.
  • Great contributions by volunteer @gonzalo-bulnes for consistent usage of product names.
  • An interesting project joined Reproducible Builds: https://reproducible-builds.org/projects/ =D
  • https://reproduciblewheels.com/ at 100%!!!!
  • Comment from a security researcher: loved your talk! great advice for devs in there, and it is sort of related to my research. I think that properly checking hashes would completely mitigate my attack -- but nobody really does it all the time in the real corporate world

Other team comments

What worked well:

  • Highly complex work was planned collaboratively: focal packaging, read/unread, template consolidation +3
    • As part of sprint planning, let's think about what kind of technical collaboration and planning may be required. +1
  • Learning time has been stimulating and productive, folks are sharing results of learning time with each other and building on it
  • Focal PRs were merged/closed with help from the team.

What could be improved:

  • (Erik) Sprint load still too heavy, everyone was predictably fried on unconference days +1
    • +1 to "still" but I do think we're getting better about being realistic. The emphasis on "planning" tickets vs "implementation" tickets shows that
  • OSSEC packaging documentation

What's still a puzzle:

  • In the quest for reproducible builds, how much complexity can we dispose of? For example, the FPF PyPI mirror may have strong security benefits, aside from reproducibility

Learning time debrief

  • Watched lots of DEF CON 2020 YouTube videos
  • Began reading "Linux Basics for Hackers", which has "Becoming Secure and Anonymous" and "Managing the Linux kernel" sections I'm looking forward to getting into
  • (Conor) More exploration of reproducible builds, highly illuminating and honestly quite fun. Do try the "diffoscope" and "reprotest" tools if you haven't!
  • (Kushal) DEF CON was good. Met a lot of new contacts and some old ones.
  • (Erik) Made some good initial progress in understanding how layouting works in the SecureDrop Client, want to dig in further as part of solving a small issue with reply placeholders on the sprint.

2) Review key dates and time commitments

Until 2020-09-14        : Ro on personal leave
2020-08-21              : FPF Holiday
2020-08-24 to 2020-08-28: PTO: Kevin
2020-08-25              : Tails 4.10 release (we'll bulk-announce)

After sprint period:

2020-09-07              : FPF Holiday / Labour Day

2020-09-08              : QA for SecureDrop 1.6.0 starts (feature freeze)
                          Important for server-side changes related to read/unread

2020-09-22              : SecureDrop 1.6.0 release / Tails 4.11 release
  • Probably a Friday PTO for Conor
  • Probably a Monday PTO for Allie

3) Agree upon top 3 priorities for the next two weeks

  1. Ubuntu 20.04 transition: Get Focal packages to build successfully, then set up make staging-focal target

  2. Read/unread: Scope and begin implementing server-side changes, with an eye to merging all changes required for a read/unread MVP before the September 8 feature freeze.

  3. Template consolidation: Begin phase 1 of implementation (creating the preconditions for consolidation).

  • Further threat modeling and analysis re: MIME type handling
  • Create symlinks for mimetype association in private volume
  • Move securedrop-proxy configuration files to /home/user

4) Select and estimate tasks

https://docs.google.com/spreadsheets/u/0/d/1jO6g_ObW9DnJ9tMEq1Sf2PtXtLQBrousywIrAiJr0vY/edit
